allowing anyone to browse and print (NT 4.0 SP3, 9.18p10)

Christoph Kukulies kuku at gilberto.physik.RWTH-Aachen.DE
Wed Oct 14 09:04:14 GMT 1998


I'm having lots of hassles and troubles since I moved to 1.18p10:

1\   Why do I need a smbpasswd and have to have a user equivalent
     on the unix machine when an NT user wants to print via an smb
     printer? My NT/Win users shouldn't need to know
     anything about unix and I don't want to tell them "you have
     to log into my unix machine and invoke /usr/local/samba/bin/smbpasswd
     and type in your password". 

2\   I can limit access to my smb server(s) via smb.conf by allowing
     only certain networks as I understand. So my question:
     Can someone post a smb.conf which is as open as possible WRT printing?

Here is mine:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = IPHY

# server string is the equivalent of the NT Description field
   server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 192.168.0. 192.168.1.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /usr/local/samba/var/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server
;   password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
  password level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
  encrypt passwords = yes

# Unix users can map to different SMB User names
;  username map = /etc/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /usr/local/samba/lib/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY 

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24 

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#	a specific host or from / to a whole subnet (see below)
;   remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
;   remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;  local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes 

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
;   domain controller = <NT-Domain-Controller-SMBName>

# Enable this if you want Samba to be a domain logon server for 
# Windows95 workstations. 
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this server's netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one	WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = yes

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /usr/local/samba/lib/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;    path = /usr/local/samba/profiles
;    browseable = no
;    guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to 
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = yes
# Set public = yes to allow user 'guest account' to print
   guest ok = yes
   writable = no
   printable = yes
   public = yes
....

What's wrong?

The last effect I had was that the NT user in question for instance
could browse my samba machine, could install printers etc. but when
printing the testpage for example he got an alert box:

permission denied - could not write (or something).

Here's the log:

Allowed connection from host.domain (192.168.0.1) to ep_txt
Trying username ep_txT
ACCEPTED: validated uid ok as non-guest
found free connection number 39
Connect path is /var/spool/samba
willi is in 2 groups
1011 1011 
trying claim /usr/local/samba/var/locks STATUS. 1000
become_user uid=(0,1011) gid=(1011,1011)
chdir to /var/spool/samba
chdir to /usr/local/samba/lib
unbecome_user now uid=(0,0) gid=(0,0)
1998/10/13 15:35:12 acwilli (192.168.0.1) connect to service ep_txt as user willi (uid=1011,gid=1011) (pid 8200)
1998/10/13 15:35:12 tconX service=ep_txt user=willi cnum=39
size=53
smb_com=0x75
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=1
smb_tid=39
smb_pid=51966
smb_uid=100
smb_mid=448
smt_wct=3
smb_vwv[0]=255 (0xFF)
smb_vwv[1]=0 (0x0)
smb_vwv[2]=0 (0x0)
smb_bcc=12
write_socket(5,57)
write_socket(5,57) wrote 57
got message type 0x0 of len 0x2f
1998/10/13 15:35:12 Transaction 10 of length 51
size=47
smb_com=0xc0
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=39
smb_pid=51966
smb_uid=100
smb_mid=512
smt_wct=2
smb_vwv[0]=0 (0x0)
smb_vwv[1]=1 (0x1)
smb_bcc=8
switch message SMBsplopen (pid 8200)
become_user uid=(0,1011) gid=(1011,1011)
chdir to /var/spool/samba
is_in_path: WILLI.oF8200
is_in_path: no name list.
unix_clean_name [WILLI.oF8200]
calling open_file with flags=0x1 flags2=0x600 mode=0644
Allocated new file_fd_struct 0, dev = ffffffff, inode = ffffffff
Error opening file WILLI.oF8200 (Permission denied) (flags=513)
fd_attempt_close on file_fd_struct 0, fd = -1, dev = ffffffff, inode = ffffffff, open_flags = 1, ref_count = 1.
1998/10/13 15:35:12 error packet at line 2673 cmd=192 (SMBsplopen) eclass=1 ecode=5
error string = Permission denied
size=35
smb_com=0xc0
smb_rcls=1
smb_reh=0
smb_err=5
smb_flg=136
smb_flg2=1
smb_tid=39
smb_pid=51966
smb_uid=100
smb_mid=512
smt_wct=0
smb_bcc=0
write_socket(5,39)
write_socket(5,39) wrote 39
got message type 0x0 of len 0x85
1998/10/13 15:35:12 Transaction 11 of length 137
size=133
smb_com=0x25
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=46
smb_pid=51966
smb_uid=100
smb_mid=577
smt_wct=14
smb_vwv[0]=53 (0x35)
smb_vwv[1]=0 (0x0)
smb_vwv[2]=6 (0x6)
smb_vwv[3]=65535 (0xFFFF)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=5000 (0x1388)
smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=53 (0x35)
smb_vwv[10]=80 (0x50)
smb_vwv[11]=0 (0x0)
smb_vwv[12]=0 (0x0)
smb_vwv[13]=0 (0x0)
smb_bcc=70
switch message SMBtrans (pid 8200)
chdir to /usr/local/samba/lib
unbecome_user now uid=(0,0) gid=(0,0)
become_user uid=(0,1011) gid=(1011,1011)
chdir to /tmp
trans <\PIPE\LANMAN> data=0 params=53 setup=0
calling named_pipe
named pipe command on <LANMAN> name
Got API command 70 of form <zWrLh> <B13BWWWzzzzzWN> (tdscnt=0,tpscnt=53,mdrcnt=65535,mprcnt=6)
Doing DosPrintQGetInfo
PrintQueue uLevel=2 name=ep_txt
Using cached lpq output
QUEUE2: acaxp: Tue Oct 13 14:07:48 1998: 

QUEUE2: JetDirect lpd: no entries

printqgetinfo: errorcode 0
size=146
smb_com=0x25
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=1
smb_tid=46
smb_pid=51966
smb_uid=100
smb_mid=577
smt_wct=10
smb_vwv[0]=6 (0x6)
smb_vwv[1]=83 (0x53)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=6 (0x6)
smb_vwv[4]=55 (0x37)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=83 (0x53)
smb_vwv[7]=63 (0x3F)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=0 (0x0)
smb_bcc=91
write_socket(5,150)
write_socket(5,150) wrote 150
got message type 0x0 of len 0x72
1998/10/13 15:35:12 Transaction 12 of length 118
size=114
smb_com=0x25
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=46
smb_pid=51966
smb_uid=100
smb_mid=640
smt_wct=14
smb_vwv[0]=34 (0x22)
smb_vwv[1]=0 (0x0)

-- 
Chris Christoph P. U. Kukulies kuku at gil.physik.rwth-aachen.de
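
Added example, not part of the original post and not Samba code: a small Python helper that walks an smbd debug log like the one quoted above, tracks the identity and directory in effect, and reports each failed open with the uid, gid and path involved. It assumes the second number in each `become_user uid=(a,b)` pair is the effective id; `find_open_failures` and `can_create_in` are hypothetical names.

```python
import os
import re
import stat

# Excerpt of the smbd debug log quoted in the post (lines copied, not new data).
SAMPLE_LOG = """\
become_user uid=(0,1011) gid=(1011,1011)
chdir to /var/spool/samba
calling open_file with flags=0x1 flags2=0x600 mode=0644
Error opening file WILLI.oF8200 (Permission denied) (flags=513)
1998/10/13 15:35:12 error packet at line 2673 cmd=192 (SMBsplopen) eclass=1 ecode=5
unbecome_user now uid=(0,0) gid=(0,0)
"""

BECOME = re.compile(r"^become_user uid=\(\d+,(\d+)\) gid=\(\d+,(\d+)\)")
CHDIR = re.compile(r"^chdir to (\S+)")
OPEN_ERR = re.compile(r"^Error opening file (\S+) \((.+?)\) \(flags=\d+\)")
ERR_PKT = re.compile(r"error packet at line \d+ cmd=\d+ \((\w+)\) eclass=(\d+) ecode=(\d+)")

def find_open_failures(log_text):
    """Return one record per failed open, with the ids and directory in effect."""
    uid = gid = 0          # smbd is root until become_user switches identity
    cwd, failures = None, []
    for line in log_text.splitlines():
        if m := BECOME.match(line):
            # Assumption: the second number of each pair is the effective id.
            uid, gid = int(m.group(1)), int(m.group(2))
        elif line.startswith("unbecome_user"):
            uid = gid = 0
        elif m := CHDIR.match(line):
            cwd = m.group(1)
        elif m := OPEN_ERR.match(line):
            failures.append({"file": m.group(1), "reason": m.group(2),
                             "uid": uid, "gid": gid, "dir": cwd, "smb": None})
        elif (m := ERR_PKT.search(line)) and failures and failures[-1]["smb"] is None:
            # Attach the SMB command and error class/code sent back to the client.
            failures[-1]["smb"] = (m.group(1), int(m.group(2)), int(m.group(3)))
    return failures

def can_create_in(path, uid, gid):
    """Mode-bit check: may uid/gid create a file in directory `path`?
    ACLs and supplementary groups are ignored."""
    st = os.stat(path)
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    need = (stat.S_IWOTH | stat.S_IXOTH) << shift   # w+x for owner, group or other
    return uid == 0 or st.st_mode & need == need
```

Run on the Samba host, `can_create_in(rec["dir"], rec["uid"], rec["gid"])` for each returned record shows whether the spool directory's mode bits allow that user to create the spool file.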

